# atmos secret init

Walk the declared secrets for a stack and interactively initialize or rotate them. With `--stack`
alone, the **whole stack** is provisioned: stack-scoped secrets once each plus every instance's
instance-scoped secrets. With `--component`, only that instance is provisioned. Missing secrets are
prompted with masked input; already-initialized secrets prompt to **update (rotate) or skip** —
making `init` an easy way to rotate secrets manually. `--force` rotates them all without asking.

## Usage

```shell
atmos secret init [flags]
```

`--stack` is required (prompted on a TTY when omitted); `--component` is optional — omit it to
provision the entire stack. See [Secret scopes](/cli/commands/secret/usage#secret-scopes).

## Examples

```shell
# Provision the whole stack (stack-scoped secrets + every instance's instance-scoped secrets)
atmos secret init --stack=prod

# Provision just one instance, prompting for each missing secret
atmos secret init --stack=prod --component=api

# Re-prompt for and overwrite secrets that are already initialized
atmos secret init --stack=prod --component=api --force

# Preview what would be initialized without prompting or writing
atmos secret init --stack=prod --component=api --dry-run

# Disambiguate a component that exists in multiple types
atmos secret init --stack=prod --component=api --type=terraform

# Provision using a specific identity for the backend
atmos secret init --stack=prod --component=api --identity=aws/prod-secrets
```

## Arguments

- **n/a**
  No positional arguments.

## Flags

- **`--stack` (alias `-s`)**

  The Atmos stack to operate on. **Required.**

  **Environment variable:** `ATMOS_STACK`
- **`--component` (alias `-c`)**

  The Atmos component (instance) whose declared secrets are provisioned. **Optional.** Omit it to provision the entire stack.

  **Environment variable:** `ATMOS_COMPONENT`
- **`--type`**

  The component type (`terraform`, `helmfile`, `packer`, or `ansible`). Used to disambiguate when a component name exists in more than one type.
- **`--identity` (alias `-i`)**

  The identity to use when accessing the secret backend.

  **Environment variable:** `ATMOS_IDENTITY`
- **`--force` (alias `-f`)**

  Re-prompt for and overwrite secrets that are already initialized, without asking whether to update or skip each one. Without this flag, each already-initialized secret prompts to update (rotate) or skip.
- **`--dry-run`**

  Show which secrets would be initialized without prompting for values or writing anything to the backend.

## See Also

- [atmos secret](/cli/commands/secret/usage) — Overview of the secret command group
- [`!secret` YAML function](/functions/yaml/secret) — Resolve declared secrets at runtime
